Re: [blink-dev] Proposal: Marking HTTP As Non-Secure

From: Craig Francis <craig.francis@gmail.com>
Date: Wed, 7 Jan 2015 10:35:10 +0000
Cc: Jiri Danek <softwaredevjirka@gmail.com>, "mozilla-dev-security@lists.mozilla.org" <mozilla-dev-security@lists.mozilla.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, blink-dev <blink-dev@chromium.org>
Message-Id: <4B5EBC0A-3E7C-4A71-A736-C96D718FE12A@gmail.com>
To: Jim Manico <jim.manico@owasp.org>

On 3 Jan 2015, at 20:55, Jim Manico <jim.manico@owasp.org> wrote:

>> It's one of the reasons I'm really pushing for a security tab in the web dev tools, to help with education and usage of the features that are available... i.e. have you tried implementing a CSP header before? it's good fun :-)
> 
> Cool. I'm running CSP on several of my sites. Easy to set up for new
> development, lots of tools out there to make it easier. script hashing
> and script noncing are awesome. I can even easily protect inline
> scripts now...
> 
> Building complex websites is very tough. Security is just another
> engineering task... :)

Very true... but I personally don't think we have the tools in place to help developers know about (or use) these security features... e.g. any feedback for a failed HPKP header?

https://code.google.com/p/chromium/issues/detail?id=445793

But either way, well done with using CSP... personally I'm still not sure about using inline JS with nonces/hashes as I don't want to block out older browsers.

Which reminds me, I need to find out which browser versions don't understand paths after the domain name, as I want to specify them, but will need to do some UA sniffing to strip the paths for them... I have a feeling it might be Firefox, where v34 seems to ignore the path (only working against the domain), but I think an earlier version dropped the whole thing (blocking everything).

But getting back to marking HTTP as non-secure... all of these features are useless without HTTPS (easy to strip the CSP header over HTTP)... and that's why the more generic solution seems to be the only way, especially as ianG points out, this is the perfect time to be doing this (not that I don't like your idea of alerting users about passwords, I just think there are too many ways around it to be effective).

Craig
Received on Wednesday, 7 January 2015 10:35:39 UTC
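The point made above, that a CSP header sent over plain HTTP is trivially stripped by anyone on the path, can be shown end to end with a small script. This is an added example, not code from the thread or from any of the participants. The nonce, the raw HTTP response, the "injected" inline script and the simplified script-src evaluator are all constructed here for illustration; the evaluator covers only the inline-script case (nonce, hash and 'unsafe-inline' sources) and is not a full CSP implementation.

```python
# Added example (not from the original mailing-list message). Models why CSP,
# HPKP and HSTS headers are only meaningful over HTTPS: on plaintext HTTP an
# on-path attacker can delete them, after which an injected inline script runs.
import secrets
from typing import Optional

# Headers an on-path attacker would drop from a plaintext response.
STRIPPABLE = {
    "content-security-policy",
    "content-security-policy-report-only",
    "strict-transport-security",
    "public-key-pins",
}


def new_nonce() -> str:
    """Per-response nonce: unpredictable, never reused across responses."""
    return secrets.token_urlsafe(16)


def make_csp(nonce: str) -> str:
    """Nonce-based policy: same-origin scripts plus inline scripts carrying the nonce."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_response(status: str, headers, body: bytes) -> bytes:
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def strip_security_headers(raw: bytes) -> bytes:
    """What a MITM can do to plaintext HTTP: drop the headers the server relied on."""
    status, headers, body = parse_response(raw)
    kept = [(n, v) for n, v in headers if n.lower() not in STRIPPABLE]
    return serialize_response(status, kept, body)


def get_header(raw: bytes, name: str) -> Optional[str]:
    _, headers, _ = parse_response(raw)
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def inline_script_allowed(csp: Optional[str], script_nonce: Optional[str]) -> bool:
    """Simplified CSP check for one inline <script>: does it execute?

    No policy -> it runs. Otherwise use script-src, falling back to default-src.
    A matching 'nonce-...' source allows it; 'unsafe-inline' allows it only when
    no nonce or hash sources are present (CSP2 browsers ignore it otherwise).
    """
    if csp is None:
        return True
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    if script_nonce is not None and script_nonce in nonces:
        return True
    if "'unsafe-inline'" in sources and not nonces and not hashes:
        return True
    return False


def demo() -> dict:
    """Constructed response, once as served and once after an on-path strip."""
    nonce = new_nonce()
    # First script is the site's own (nonced); second is attacker-injected.
    body = (f'<script nonce="{nonce}">init()</script>'
            '<script>alert(document.cookie)</script>').encode()
    served = serialize_response(
        "HTTP/1.1 200 OK",
        [("Content-Type", "text/html"),
         ("Content-Security-Policy", make_csp(nonce)),
         ("Content-Length", str(len(body)))],
        body,
    )
    stripped = strip_security_headers(served)
    return {
        "served_csp": get_header(served, "content-security-policy"),
        "stripped_csp": get_header(stripped, "content-security-policy"),
        "injected_runs_with_csp": inline_script_allowed(
            get_header(served, "content-security-policy"), None),
        "injected_runs_after_strip": inline_script_allowed(
            get_header(stripped, "content-security-policy"), None),
        "body_intact": parse_response(stripped)[2] == body,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The body reaches the browser byte-for-byte; only the policy is gone, so the injected script that the nonce-based policy blocked now executes. Over TLS the attacker sees only ciphertext and cannot do this, which is the argument for treating HTTPS as the precondition for every other header-based control.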